[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Xen security updates on Wheezy

On 2016-03-26 01:36:43, Brian May wrote:
> Antoine Beaupré <anarcat@orangeseeds.org> writes:
>> They seem to hold, although I have yet to test them in production. One
>> thing I noticed is that they don't seem to fix CVE-2015-8104 and
>> CVE-2015-5307, ie. that the patches you posted in
>> <87d1qvvzhi.fsf@prune.linuxpenguins.xyz> were not factored into the
>> package. That would seem to be important (and maybe we could push those
>> back towards the Ubuntu folks as well).
> That is correct, I had two patches previously that I did not incooporate
> yet:
> -rw------- 1 brian brian 5277 Mar 26 16:26 CVE-2015-2752.diff
> -rw------- 1 brian brian 4666 Mar 26 16:26 CVE-2015-8104+CVE-2015-5307.patch
> I believe CVE-2015-2752.diff is already patched in the Ubuntu version,
> so we don't need to worry it.

Those two patches actually *are* in the patch series in the packages you
built, as xsa125-4.2.patch and xsa156-4.2.patch, respectively. So
obviously, those patches don't apply. :)

In other words, I believe your package build is complete.

> Curiously the Ubuntu version declares it has fixed CVE-2015-5307 but not
> CVE-2015-8104 - so it is possible this means the above patch will not
> apply cleanly.

Hmm... maybe an oversight on their part. XSA-156 is composed of two
distinct vulnerabilities which got assigned the two CVEs above. The
xsa156-4.2.patch explicitly fixes both of those issues.

> Then there are just these three CVEs unaccounted for (and possibly don't
> matter):
>             - CVE-2014-5146 (marked No DSA)
>             - CVE-2014-5149 (marked No DSA)
>             - CVE-2014-8341 (marked No DSA)

I assume you mean CVE-2015-8341 for the latter. :) For that one, i
agree with no-dsa, it may be even not-affected, actually.

For the other two, I am not sure. Given the number of fixes we are
backporting, however, i am tempted to agree with the assesment ("too
intrusive to backport"), given the lag we're having with all this. 

I also note that 3 more vulnerabilities came up in Xen since I looked at
this, so I need to sit down to filter through those again.

I'll send a debdiff when i'm done.


It is the greatest of all mistakes to do nothing because you can only
do little. Do what you can.
                         - Sydney Smith

Reply to: